Wireless roaming using a distributed store

ABSTRACT

Systems, methods, and computer-readable storage media for wireless roaming are disclosed. An access point receives a communication request from a wireless device and determines a home broadcast domain associated with the wireless device. The access point determines that the home broadcast domain is different from the broadcast domain associated with the access point and proceeds to identify a second access point that is associated with the home broadcast domain of the wireless device. The access point establishes a tunnel between the access point and the second access point for routing traffic associated with the wireless device.

RELATED APPLICATIONS

The instant application is a continuation of U.S. patent application Ser. No. 14/591,737, filed on Jan. 7, 2015, entitled WIRELESS ROAMING USING A DISTRIBUTED STORE, the contents of which are expressly incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present technology pertains to wireless roaming, and more specifically to roaming among wireless access points that is implemented using a distributed store.

BACKGROUND

Computer networks are frequently divided or extended to include logical segments in order to address security and scalability concerns. The various logical segments in the network often include wireless access points to allow devices to connect wirelessly to the network. Unfortunately, the logical segments generally prevent devices from roaming across segments without service interruption. In particular, when a device moves from one logical segment to another, the session is interrupted and the connection must be re-established. Accordingly, the benefits of wireless technologies, which allow users to move with some flexibility, are significantly limited in current networks.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:

FIG. 1 illustrates a schematic block diagram of an example cloud architecture including nodes/devices interconnected by various methods of communication;

FIG. 2 illustrates a schematic block diagram of an example cloud service management system;

FIG. 3 illustrates an example system for implementing wireless roaming;

FIG. 4 illustrates an example method for wireless roaming using a distributed store;

FIG. 5 illustrates an example system for implementing wireless roaming;

FIG. 6 illustrates an example method for configuring a distributed store for wireless roaming;

FIG. 7 illustrates an example method embodiment;

FIG. 8 illustrates an example network device; and

FIGS. 9A and 9B illustrate example system embodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the disclosure.

Overview:

Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.

The subject technology provides embodiments for wireless roaming in a network. The method includes receiving a communication request from a wireless device at a first access point. The first access point can determine a home broadcast domain associated with the wireless device, and it can also determine the broadcast domain associated with the first access point. Upon determining that the home broadcast domain associated with the device is different from the broadcast domain associated with the first access point, the first access point can identify a second access point that is associated with the same home broadcast domain as the device. The first access point can establish a tunnel between the first access point and the second access point for routing traffic associated with the device.
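The steps of the method above, as an added worked example; this is illustrative code, not code from the patent or its assignee. It assumes a store layout that the page does not specify: a map from device MAC address to home broadcast domain and a map from broadcast domain to the access points serving it, both held in the distributed store and read by the access point. The tunnel bookkeeping, the AP names and the MAC addresses are constructed for the example.

```python
"""Roaming decision from the Overview, as an access point would run it.
Added illustration, not code from the patent. The store layout (device MAC ->
home broadcast domain, broadcast domain -> access points serving it) and the
tunnel bookkeeping are assumptions; the page does not specify them."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ("local" | "tunnel" | "reject", anchor AP name or None)
Decision = Tuple[str, Optional[str]]


@dataclass
class DistributedStore:
    """Assumed contents of the distributed store, as seen by one AP."""
    home_bd_by_mac: Dict[str, str] = field(default_factory=dict)    # MAC -> home BD
    aps_by_bd: Dict[str, List[str]] = field(default_factory=dict)   # BD -> APs in that BD

    def home_bd(self, mac: str) -> Optional[str]:
        return self.home_bd_by_mac.get(mac.lower())

    def aps_in(self, bd: str) -> List[str]:
        return list(self.aps_by_bd.get(bd, []))


@dataclass
class AccessPoint:
    name: str
    bd: str                        # broadcast domain this AP is attached to
    store: DistributedStore
    tunnels: Dict[str, str] = field(default_factory=dict)  # device MAC -> anchor AP

    def handle_association(self, mac: str) -> Decision:
        """Run the Overview's steps for one association request.

        The home BD is taken from the store, never from anything the device
        sends, so a client cannot pick its own segment by claiming a BD.
        """
        mac = mac.lower()
        home = self.store.home_bd(mac)
        if home is None:
            return ("reject", None)          # no record: do not guess a home BD
        if home == self.bd:
            return ("local", None)           # same BD: forward normally, no tunnel
        anchors = [ap for ap in self.store.aps_in(home) if ap != self.name]
        if not anchors:
            return ("reject", None)          # home BD known but no AP can anchor it
        anchor = anchors[0]                  # deterministic pick; real APs may balance
        self.tunnels[mac] = anchor
        return ("tunnel", anchor)

    def handle_disassociation(self, mac: str) -> bool:
        """Tear down the device's tunnel when it leaves; True if one existed."""
        return self.tunnels.pop(mac.lower(), None) is not None


def demo() -> Dict[str, Decision]:
    """Constructed store contents; AP-A serves BD-10."""
    store = DistributedStore(
        home_bd_by_mac={
            "aa:bb:cc:00:00:01": "BD-10",   # native to AP-A's domain
            "aa:bb:cc:00:00:02": "BD-20",   # roamed in from BD-20
            "aa:bb:cc:00:00:03": "BD-30",   # home BD has no AP at the moment
        },
        aps_by_bd={"BD-10": ["AP-A"], "BD-20": ["AP-B", "AP-C"]},
    )
    ap_a = AccessPoint("AP-A", "BD-10", store)
    return {
        "home": ap_a.handle_association("AA:BB:CC:00:00:01"),
        "roamed": ap_a.handle_association("aa:bb:cc:00:00:02"),
        "orphan": ap_a.handle_association("aa:bb:cc:00:00:03"),
        "unknown": ap_a.handle_association("aa:bb:cc:00:00:99"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The home broadcast domain comes only from the store, so a client cannot select a segment by claiming one. An unknown device, or a home domain with no access point left to anchor it, is rejected rather than silently placed in the local domain, which would defeat the segmentation the Background describes.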

DETAILED DESCRIPTION

A computer network can include a system of hardware, software, protocols, and transmission components that collectively allow separate devices to communicate, share data, and access resources, such as software applications. More specifically, a computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between endpoints, such as personal computers and workstations. Many types of networks are available, ranging from local area networks (LANs) and wide area networks (WANs) to overlay and software-defined networks, such as virtual extensible local area networks (VXLANs), and virtual networks such as virtual LANs (VLANs) and virtual private networks (VPNs).

LANs typically connect nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), or synchronous digital hierarchy (SDH) links. LANs and WANs can include layer 2 (L2) and/or layer 3 (L3) networks and devices.

The Internet is an example of a public WAN that connects disparate networks throughout the world, providing global communication between nodes on various networks. The nodes typically communicate over the network by exchanging discrete frames or packets of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP). In this context, a protocol can refer to a set of rules defining how the nodes interact with each other. Computer networks may be further interconnected by intermediate network nodes, such as routers, switches, hubs, or access points (APs), which can effectively extend the size or footprint of the network.

Networks can be segmented into subnetworks to provide a hierarchical, multilevel routing structure. For example, a network can be segmented into subnetworks using subnet addressing to create network segments. This way, a network can allocate various groups of IP addresses to specific network segments and divide the network into multiple logical networks.

In addition, networks can be divided into logical segments called virtual networks, such as VLANs, which connect logical segments. For example, one or more LANs can be logically segmented to form a VLAN. A VLAN allows a group of machines to communicate as if they were in the same physical network, regardless of their actual physical location. Thus, machines located on different physical LANs can communicate as if they were located on the same physical LAN. Interconnections between networks and devices can also be created using routers and tunnels, such as VPN or secure shell (SSH) tunnels. Tunnels can encrypt point-to-point logical connections across an intermediate network, such as a public network like the Internet. This allows secure communications between the logical connections and across the intermediate network. By interconnecting networks, the number and geographic scope of machines interconnected, as well as the amount of data, resources, and services available to users, can be increased.

Further, networks can be extended through network virtualization. Network virtualization allows hardware and software resources to be combined in a virtual network. For example, network virtualization can allow multiple VMs to be attached to the physical network via respective VLANs. The VMs can be grouped according to their respective VLAN, and can communicate with other VMs as well as other devices on the internal or external network.

To illustrate, overlay networks generally allow virtual networks to be created and layered over a physical network infrastructure. Overlay network protocols, such as Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), Network Virtualization Overlays (NVO3), and Stateless Transport Tunneling (STT), provide a traffic encapsulation scheme which allows network traffic to be carried across L2 and L3 networks over a logical tunnel. Such logical tunnels can be originated and terminated through virtual tunnel endpoints (VTEPs).

Moreover, overlay networks can include virtual segments, such as VXLAN segments in a VXLAN overlay network, which can include virtual L2 and/or L3 overlay networks over which VMs communicate. The virtual segments can be identified through a virtual network identifier (VNI), such as a VXLAN network identifier, which can specifically identify an associated virtual segment or domain.
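The encapsulation scheme and the VNI described in the two paragraphs above, as an added example that is not code from the patent: a VTEP builds a VXLAN header for a given VNI, parses one off a received UDP payload, and admits the inner frame only when the VNI is one the VTEP is provisioned for. The header layout is the one in RFC 7348; the datagrams, the inner Ethernet header bytes and the set of local VNIs are constructed for the example.

```python
"""VXLAN header handling at a VTEP: build a header carrying a VNI, parse one
off a received UDP payload, and admit the inner frame only if the VNI is one
this VTEP is provisioned for. Added illustration, not code from the patent.
Header layout per RFC 7348; the sample datagrams below are constructed."""
import struct
from typing import Dict, Optional, Set, Tuple

VXLAN_UDP_PORT = 4789
VXLAN_HDR_LEN = 8
FLAG_VNI_PRESENT = 0x08        # the "I" flag; must be set on a valid header
VNI_MAX = (1 << 24) - 1        # VNI is a 24-bit field
# flags(1) | reserved(3) | VNI(3) + reserved(1), big-endian
_HDR = struct.Struct("!B3xI")


def build_vxlan_header(vni: int) -> bytes:
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # VNI occupies the top three bytes of the final 32-bit word; low byte reserved
    return _HDR.pack(FLAG_VNI_PRESENT, vni << 8)


def parse_vxlan_header(datagram: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); raise ValueError on a malformed header."""
    if len(datagram) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, word = _HDR.unpack_from(datagram)
    if not flags & FLAG_VNI_PRESENT:
        raise ValueError("I flag clear: not a valid VXLAN header")
    # other flag bits and the reserved fields are ignored on receipt (RFC 7348)
    return word >> 8, datagram[VXLAN_HDR_LEN:]


def vtep_receive(datagram: bytes, local_vnis: Set[int]) -> Optional[Tuple[int, bytes]]:
    """Decapsulate and return (vni, frame) only for a segment this VTEP serves.

    Frames for VNIs the VTEP is not provisioned for are dropped: the VNI in
    the header is whatever the sender wrote, and delivering it blindly would
    inject the inner frame into another segment.
    """
    try:
        vni, frame = parse_vxlan_header(datagram)
    except ValueError:
        return None
    if vni not in local_vnis:
        return None
    return vni, frame


def demo() -> Dict[str, Optional[Tuple[int, bytes]]]:
    """Constructed sample: datagrams for VNI 5000 and 6000; the VTEP serves only 5000."""
    inner = bytes.fromhex("ffffffffffff0242ac1100020806")  # constructed Ethernet header stub
    local = {5000}
    return {
        "accepted": vtep_receive(build_vxlan_header(5000) + inner, local),
        "foreign_vni": vtep_receive(build_vxlan_header(6000) + inner, local),
        "bad_flags": vtep_receive(b"\x00" * 8 + inner, local),
        "short": vtep_receive(b"\x08\x00\x00", local),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The VNI in a received header is whatever the sender put there. On an underlay that is not fully trusted, a VTEP that decapsulates any VNI it sees lets a sender place frames into a segment it was never attached to, which is why `vtep_receive` checks the VNI against a provisioned set before handing the inner frame up.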

Networks can include various hardware or software appliances or nodes to support data communications, security, and provision services. For example, networks can include routers, hubs, switches, APs, firewalls, repeaters, intrusion detectors, servers, VMs, load balancers, application delivery controllers (ADCs), and other hardware or software appliances. Such appliances can be distributed or deployed over one or more physical, overlay, or logical networks. Moreover, appliances can be deployed as clusters, which can be formed using layer 2 (L2) and layer 3 (L3) technologies. Clusters can provide high availability, redundancy, and load balancing for flows associated with specific appliances or nodes. A flow can include packets that have the same source and destination information. Thus, packets originating from device A to service node B can all be part of the same flow.

Endpoint groups (EPGs) can also be used in a network for mapping applications to the network. In particular, EPGs can use a grouping of application endpoints in a network to apply connectivity and policy to the group of applications. EPGs can act as a container for groups or collections of applications, or application components, and tiers for implementing forwarding and policy logic. EPGs also allow separation of network policy, security, and forwarding from addressing by instead using logical application boundaries.

Appliances or nodes, as well as clusters, can be implemented in cloud deployments. Cloud deployments can be provided in one or more networks to provision computing services using shared resources. Cloud computing can generally include Internet-based computing in which computing resources are dynamically provisioned and allocated to client or user computers or other devices on-demand, from a collection of resources available via the network (e.g., "the cloud"). Cloud computing resources, for example, can include any type of resource, such as computing, storage, network devices, applications, virtual machines (VMs), services, and so forth. For instance, resources may include service devices (firewalls, deep packet inspectors, traffic monitors, load balancers, etc.), compute/processing devices (servers, CPUs, memory, brute force processing capability), storage devices (e.g., network attached storage, storage area network devices), etc. In addition, such resources may be used to support virtual networks, virtual machines (VMs), databases, applications (apps), etc. Also, services may include various types of services, such as monitoring services, management services, communication services, data services, bandwidth services, routing services, configuration services, wireless services, architecture services, etc.

The cloud may include a "private cloud," a "public cloud," and/or a "hybrid cloud." A "hybrid cloud" can be a cloud infrastructure composed of two or more clouds that inter-operate or federate through technology. In essence, a hybrid cloud is an interaction between private and public clouds where a private cloud joins a public cloud and utilizes public cloud resources in a secure and scalable manner. In some cases, the cloud can include one or more cloud controllers which can help manage and interconnect various elements in the cloud as well as tenants or clients connected to the cloud.

Cloud controllers and/or other cloud devices can be configured for cloud management. These devices can be pre-configured (i.e., come "out of the box") with centralized management, layer 7 (L7) device and application visibility, real-time web-based diagnostics, monitoring, reporting, management, and so forth. As such, in some embodiments, the cloud can provide centralized management, visibility, monitoring, diagnostics, reporting, configuration (e.g., wireless, network, device, or protocol configuration), traffic distribution or redistribution, backup, disaster recovery, control, and any other service. In some cases, this can be done without the cost and complexity of specific appliances or overlay management software.

The disclosed technology addresses the need in the art for flexible, reliable, and transparent wireless roaming. Disclosed are systems, methods, and computer-readable storage media for wireless roaming across network segments. A description of cloud computing environments, as illustrated in FIGS. 1 and 2, is first disclosed herein. A discussion of wireless roaming and concepts related to a distributed store for storing data entries across devices will then follow, including examples and variations as illustrated in FIGS. 3-7. The discussion concludes with a brief description of example devices, as illustrated in FIGS. 8 and 9A-B. These variations shall be described herein as the various embodiments are set forth. The disclosure now turns to FIG. 1.

FIG. 1 illustrates a schematic block diagram of an example cloud architecture 100 including nodes/devices interconnected by various methods of communication. Cloud 150 can be a public, private, and/or hybrid cloud system. Cloud 150 can include resources, such as one or more Firewalls 197; Load Balancers 193; WAN optimization platforms 195; devices 187, such as switches, routers, intrusion detection systems, Auto VPN systems, or any hardware or software network device; servers 180, such as dynamic host configuration protocol (DHCP), domain name system (DNS), or storage servers; virtual machines (VMs) 190; controllers 200, such as a cloud controller or a management device; or any other resource.

Cloud resources can be physical, software, virtual, or any combination thereof. For example, a cloud resource can include a server running one or more VMs or storing one or more databases. Moreover, cloud resources can be provisioned based on requests (e.g., client or tenant requests), schedules, triggers, events, signals, messages, alerts, agreements, necessity, or any other factor. For example, the cloud 150 can provision application services, storage services, management services, monitoring services, configuration services, administration services, backup services, disaster recovery services, bandwidth or performance services, intrusion detection services, VPN services, or any type of services to any device, server, network, client, or tenant.

In addition, cloud 150 can handle traffic and/or provision services. For example, cloud 150 can provide configuration services, such as auto VPN, automated deployments, automated wireless configurations, automated policy implementations, and so forth. In some cases, the cloud 150 can collect data about a client or network and generate configuration settings for specific service, device, or networking deployments. For example, the cloud 150 can generate security policies, subnetting and routing schemes, forwarding schemes, NAT settings, VPN settings, and/or any other type of configurations. The cloud 150 can push or transmit the necessary data and settings to specific devices or components to manage a specific implementation or deployment. For example, the cloud 150 can generate VPN settings, such as IP mappings, port number, and security information, and send the VPN settings to specific, relevant device(s) or component(s) identified by the cloud 150 or otherwise designated. The relevant device(s) or component(s) can then use the VPN settings to establish a VPN tunnel according to the settings. As another example, the cloud 150 can generate and manage distributed store settings, as will be described below with reference to FIG. 6.

To further illustrate, cloud 150 can provide specific services for client A. For example, cloud 150 can handle traffic, deploy a network or specific network components, configure links or devices, automate services or functions, or provide any other services for client A. Other non-limiting example services by cloud 150 can include network administration services, network monitoring services, content filtering services, application control, WAN optimization, firewall services, gateway services, storage services, protocol configuration services, wireless deployment services, and so forth.

To this end, client A can connect with cloud 150 through network 160. More specifically, client A can connect with cloud 150 through network 160 in order to access resources from cloud 150, communicate with cloud 150, or receive any services from cloud 150. LAN A (110A) and/or LAN B (110B) of client A can connect with cloud 150 through network 160. Network 160 can refer to a public network, such as the Internet; a private network, such as a LAN; or any other network, such as a VPN or an overlay network. LAN A and LAN B can connect with each other directly via a wired and/or wireless connection, or indirectly via an intermediate network(s) or device(s). For example, LAN A and LAN B can connect through link 112. The link 112 can be a wired or wireless connection; a tunnel, such as a VPN or SSH tunnel; or any other connection.

In some cases, cloud 150 can maintain information about LAN A, LAN B, link 112, and/or any other devices from client A, in order to provide or support specific services for client A, such as distributed store configuration that can be used to enable wireless roaming among wireless access points. For example, cloud 150 can establish or maintain VLAN or broadcast domain (BD) configurations or settings for use in wireless roaming, or manage a distributed store containing VLAN or BD configurations or settings for wireless roaming. Cloud 150 can also maintain one or more links or tunnels to client A and/or any components in client A. For example, cloud 150 can maintain a VPN tunnel to one or more devices in LAN A and/or LAN B. In some cases, cloud 150 can configure the VPN tunnel for client A, maintain the VPN tunnel, or automatically update or establish any link or tunnel to client A or any devices in client A.

Cloud 150 can similarly provide one or more services to client B, as previously described with respect to client A. Client B can use router 120 to communicate with cloud 150 through network 162. Router 120 can connect to cloud 150 through network 162 in order to receive service(s), access data, send data, store data, extend client B's network, manage traffic or devices, etc. Like network 160, network 162 can include one or more networks, which can include a public network, a private network, or any other type of network(s).

Router 120 can connect to server 122, in order to connect server 122 to network 162, as well as cloud 150 and/or the Internet. Server 122 can include any type of server or server setup, such as a web server, a domain controller, a database server, a storage server, a media server, a RADIUS server, a DNS server, a DHCP server, a file server, a network management server, an email server, a datacenter, a cluster of servers, etc. Moreover, server 122 can connect to device A (124) and device B (126), either directly or indirectly through one or more L2 or L3 devices, such as a switch, hub, or router. This way, server 122 can provide services to the devices A and B (124 and 126). Device A (124) and device B (126) can be any devices with processing and/or storage capability, such as personal computers, mobile phones (e.g., smartphones), gaming systems, portable computers (e.g., laptops, tablets, etc.), set-top boxes, smart televisions, vehicles, media players, networking devices, or any other device.

Router 130 and device C (132) can also connect to cloud 150 to receive one or more services, settings, or capabilities, as previously described. In particular, device C (132) can connect with router 130, which can connect to cloud 150 through network 164. Accordingly, device C (132) can communicate with cloud 150 through router 130 and network 164. Network 164 can include one or more networks, which can include a private network, a public network, or any other type of network(s). Moreover, device C (132) can be any device with processing capability, such as device A (124) or device B (126) previously described.

Those skilled in the art will understand that the cloud architecture 100 can include any number of nodes, devices, links, networks, or components. In fact, embodiments with different numbers and/or types of clients, networks, nodes, cloud components, servers, software components, devices, virtual or physical resources, configurations, topologies, services, appliances, deployments, or network devices are also contemplated herein. Further, cloud 150 can include any number or type of resources, which can be accessed and utilized by clients or tenants. The illustration and examples provided herein are for explanation purposes.

Moreover, with respect to communications within the cloud architecture 100, packets (e.g., traffic and/or messages) can be exchanged among the various nodes and networks in the cloud architecture 100 using specific network communication protocols. In particular, packets can be exchanged using wired protocols, wireless protocols, or any other protocols. Some non-limiting examples of protocols can include protocols from the Internet Protocol Suite, such as TCP/IP; OSI (Open Systems Interconnection) protocols, such as L1-L7 protocols; routing protocols, such as RIP, IGP, BGP, STP, ARP, OSPF, EIGRP, NAT; or any other protocols or standards, such as HTTP, SSH, SSL, RTP, FTP, SMTP, POP, PPP, NNTP, IMAP, Telnet, SFTP, WIFI, Bluetooth, VTP, ISL, IEEE 802 standards, L2TP, IPSec, etc. In addition, various hardware and software components or devices can be implemented to facilitate communications both within a network and between networks. For example, switches, hubs, routers, access points (APs), antennas, network interface cards (NICs), modules, cables, firewalls, servers, repeaters, sensors, etc., can be implemented to facilitate communications.

FIG. 2 illustrates a schematic block diagram of an example cloud controller 200. The cloud controller 200 can serve as a cloud service management system for the cloud 150. In particular, the cloud controller 200 can manage cloud operations, client communications, service provisioning, network configuration and monitoring, etc. For example, the cloud controller 200 can manage cloud service provisioning, such as cloud storage, media, streaming, security, or administration services. In some embodiments, the cloud controller 200 can manage or configure a distributed store to facilitate wireless roaming, as described in the FIGs. below.

For example, the cloud controller 200 can analyze a network and designate the network nodes that will host the distributed store. The cloud controller 200 can propagate the information about the distributed store throughout the network to facilitate access to the information stored on the designated nodes. The cloud controller 200 can monitor the network and update the distributed store settings as required. Additional details regarding the operation of the cloud controller 200 with respect to the distributed store are set forth in the description of FIG. 6.

The cloud controller 200 can include several subcomponents, such as a scheduling function 204, a dashboard 206, data 208, a networking function 210, a management layer 212, and a communications interface 202. The various subcomponents can be implemented as hardware and/or software components. Moreover, although FIG. 2 illustrates one example configuration of the various components of the cloud controller 200, those of skill in the art will understand that the components can be configured in a number of different ways and can include any other type and number of components. For example, the networking function 210 and management layer 212 can belong to one software module or multiple separate modules. Other modules can be combined or further divided up into more subcomponents.

The scheduling function 204 can manage scheduling of procedures, events, or communications. For example, the scheduling function 204 can schedule when resources should be allocated from the cloud 150. As another example, the scheduling function 204 can schedule when specific instructions or commands should be transmitted to the client 214. In some cases, the scheduling function 204 can provide scheduling for operations performed or executed by the various subcomponents of the cloud controller 200. The scheduling function 204 can also schedule resource slots, virtual machines, bandwidth, device activity, status changes, nodes, updates, etc.

The dashboard 206 can provide a frontend where clients can access or consume cloud services. For example, the dashboard 206 can provide a web-based frontend where clients can configure client devices or networks that are cloud-managed, provide client preferences, specify policies, enter data, upload statistics, configure interactions or operations, etc. In some cases, the dashboard 206 can provide visibility information, such as views of client networks or devices. For example, the dashboard 206 can provide a view of the status or conditions of the client's network, the operations taking place, services, performance, a topology or layout, specific network devices, protocols implemented, running processes, errors, notifications, alerts, network structure, ongoing communications, data analysis, etc.

Indeed, the dashboard 206 can provide a graphical user interface (GUI) for the client 214 to monitor the client network, the devices, statistics, errors, notifications, etc., and even make modifications or setting changes through the GUI. The GUI can depict charts, lists, tables, maps, topologies, symbols, structures, or any graphical object or element. In addition, the GUI can use color, font, shapes, or any other characteristics to depict scores, alerts, or conditions. In some cases, the dashboard 206 can also handle user or client requests. For example, the client 214 can enter a service request through the dashboard 206.

The data 208 can include any data or information, such as management data, statistics, settings, preferences, profile data, logs, notifications, attributes, configuration parameters, client information, network information, and so forth. For example, the cloud controller 200 can collect network statistics from the client 214 and store the statistics as part of the data 208. In some cases, the data 208 can include performance and/or configuration information. This way, the cloud controller 200 can use the data 208 to perform management or service operations for the client 214. The data 208 can be stored on a storage or memory device on the cloud controller 200, a separate storage device connected to the cloud controller 200, or a remote storage device in communication with the cloud controller 200.

The networking function 210 can perform networking calculations, such as network addressing, or networking services or operations, such as auto VPN configuration or traffic routing. For example, the networking function 210 can perform filtering functions, switching functions, failover functions, high availability functions, network or device deployment functions, resource allocation functions, messaging functions, traffic analysis functions, port configuration functions, mapping functions, packet manipulation functions, path calculation functions, loop detection, cost calculation, error detection, or otherwise manipulate data or networking devices. In some embodiments, the networking function 210 can handle networking requests from other networks or devices and establish links between devices. In other embodiments, the networking function 210 can perform queueing, messaging, or protocol operations.

The management layer 212 can include logic to perform management operations. For example, the management layer 212 can include the logic to allow the various components of the cloud controller 200 to interface and work together. The management layer 212 can also include the logic, functions, software, and procedures to allow the cloud controller 200 to perform monitoring, management, control, and administration operations of other devices, the cloud 150, the client 214, applications in the cloud 150, services provided to the client 214, or any other component or procedure. The management layer 212 can include the logic to operate the cloud controller 200 and perform particular services configured on the cloud controller 200.

Moreover, the management layer 212 can initiate, enable, or launch other instances in the cloud controller 200 and/or the cloud 150. In some embodiments, the management layer 212 can also provide authentication and security services for the cloud 150, the client 214, the cloud controller 200, and/or any other device or component. Further, the management layer 212 can manage nodes, resources, VMs, settings, policies, protocols, communications, etc. In some embodiments, the management layer 212 and the networking function 210 can be part of the same module. However, in other embodiments, the management layer 212 and networking function 210 can be separate layers and/or modules.

The communications interface 202 allows the cloud controller 200 to communicate with the client 214, as well as any other device or network. The communications interface 202 can be a network interface card (NIC), and can include wired and/or wireless capabilities. The communications interface 202 allows the cloud controller 200 to send and receive data from other devices and networks. In some embodiments, the cloud controller 200 can include multiple communications interfaces for redundancy or failover. For example, the cloud controller 200 can include dual NICs for connection redundancy.

FIG. 3 illustrates an example system 300 used to implement wireless roaming. The system 300 can include a network 306 connected to a Wide Area Network (WAN) 304 such as the Internet. In some embodiments, network 306 may be a private network that can include one or more local area networks (LANs), VLANs, etc. As one of ordinary skill in the art will readily recognize, network 306 can also or otherwise be connected to any other public or private network in other embodiments. However, WAN 304 is used as a non-limiting example for the sake of clarity.

The network 306 can include one or more devices such as device 314. Device 314 can include, for example, a client or host device such as a personal computer or terminal, desktop, laptop, tablet, mobile phone, wireless media player, gaming system, etc. For simplicity, network 306 includes a single device 314, but one skilled in the art will recognize that network 306 can include any number of devices.

In addition, network 306 can include access points (APs) 312A, 312B, 312C . . . 312N (collectively 312). APs 312 can provide wireless network access to device 314. APs 312 can be connected to network devices 310A and 310B (collectively 310). The network devices 310 can include L2 and/or L3 devices, such as switches or routers, for example. Those skilled in the art will recognize that the present technology is not limited to a particular network configuration or size.

In network 306, AP 312 _(A) can send and receive network traffic vianetwork device 310 _(A). Similarly, AP 312 _(B) and AP 312 _(C) can sendand receive network traffic via network device 310 _(B). Network devices310 can connect to Gateway 308. Gateway 308 can be a node such as arouter that provides access to network 306. For example, Gateway 308 canconnect to one or more Internet Service Providers (ISPs) to allownetwork 306 to access WAN 304, i.e. the Internet. In addition, a cloudcontroller 200 can access network 306 by way of WAN 304 and be used toperform a number of network management operations for network 306, asdescribed above with respect to FIG. 2 and as described further herein.

Device 314 can include a wireless transceiver that is capable of communicating with APs 312. When device 314 is located within the signal range of AP 312 _(A), it can establish a communication session and become associated with AP 312 _(A). In some embodiments, device 314 can provide particular credentials before it can become associated with AP 312 _(A). For example, the Media Access Control (MAC) address of device 314 can be used to determine if device 314 is allowed access to network 306; note that a MAC address is set by the client and is easily changed, so a MAC-based check identifies a device without authenticating it. Alternatively, Remote Authentication Dial-In User Service (RADIUS) can be used to determine if device 314 is allowed access to network 306. Authentication may require the user of device 314 to enter a particular password before device 314 can access network 306. In some cases, one or more of the APs 312 can be part of a wireless network, which can include a service set identifier (SSID). Thus, device 314 can join the wireless network using the SSID and/or any other credentials.

Upon successful association, device 314 can gain access to network 306,and can obtain network or data services via access point 312 _(A).Network and data services can include internet web browsing, gaming,voice over internet protocol (VOIP), instant messaging, video streaming,video conferencing, computing resources, file sharing, etc. The networkand data services can be provided to device 314 according to an address,such as an internet protocol (IP) address, associated with device 314.The IP address of device 314 can be assigned as a static IP address orit can be assigned dynamically according to the Dynamic HostConfiguration Protocol (DHCP).

The association of device 314 to a particular access point such as AP312 _(A) can also be used to determine a home broadcast domain fordevice 314. The home broadcast domain is the broadcast domain thatdevice 314 is physically or logically connected to. In one embodiment,the home broadcast domain can be based on a group policy that assigns aVLAN tag to device 314 by using a particular network protocol such asRADIUS. Alternatively, the home broadcast domain can be based on thenative VLAN or the default VLAN of the AP that a device initiallyconnects to—i.e. the home broadcast domain for device 314 can be thenative VLAN of AP 312 _(A).

For ease of explanation, we can assume that the home broadcast domain ofdevice 314 is the native VLAN of AP 312 _(A). For example, we can assumethat AP 312 _(A) has a native VLAN that is equivalent to VLAN 1. Hence,in this example, the home broadcast domain of device 314 is VLAN 1.Traffic can then be routed to device 314 through its home broadcastdomain, which is associated with VLAN 1, while device 314 remainsassociated with AP 312 _(A).

As illustrated in FIG. 3, device 314 has the ability to roam withinnetwork 306 and connect to different APs 312. For example, device 314can roam from AP 312 _(A) to AP 312 _(B) after it has become associatedwith AP 312 _(A). If AP 312 _(B) is also on VLAN 1, device 314 can bereached via the same IP address, as device 314 remains logicallyconnected to the home broadcast domain.

Alternatively, APs 312 can be configured to connect to different VLANs.For example, AP 312 _(B) can be configured to connect to VLAN 2, whichcan correspond to a different VLAN than VLAN 1 for AP 312 _(A). In thiscase, when device 314 roams from AP 312 _(A) to AP 312 _(B), AP 312 _(B)can tunnel traffic associated with device 314 to AP 312 _(A). This way,device 314 can maintain its connection to its home broadcast domain(VLAN 1) and avoid interruption in services. By maintaining itsconnection to its home broadcast domain, device 314 can also maintainits IP address. Thus, data routed to device 314 based on its IP addresscan be delivered to device 314 by way of the tunnel 316 that linksdevice 314 back to its original home broadcast domain.

As explained in further detail with respect to FIG. 4 below, AP 312 _(B)can determine that device 314 is roaming from a home broadcast domainthat is different than its own. Accordingly, AP 312 _(B) can identifyand/or select an AP that is connected to the home broadcast domainassociated with device 314, and use the selected AP as an anchor AP fortraffic to/from device 314. An anchor AP can refer to any AP connectedto the home broadcast domain of the device 314, which can be used tomaintain the logical connection between the device 314 and the homebroadcast domain. Thus, once AP 312 _(B) identifies an appropriateanchor AP, it can create a tunnel 316 between AP 312 _(B) and the anchorAP, and route traffic through the tunnel 316. This allows device 314 toremain logically connected to its home broadcast domain even when itroams and connects to another AP that is connected to a differentbroadcast domain. In some embodiments, the tunnel 316 can be a layer 2protocol tunnel or a virtual private network tunnel.

In FIG. 3, AP 312 _(B) determines that device 314 has roamed from an AP that is on VLAN 1 and it creates tunnel 316 between itself (AP 312 _(B)) and AP 312 _(A), which is on VLAN 1. Device 314 is then associated with AP 312 _(B), the host AP, and its traffic can be tunneled to/from AP 312 _(A), the anchor AP. Accordingly, device 314 can roam among APs that are on different broadcast domains while maintaining both its connection to its home broadcast domain and its IP address. Note that the tunnel 316 from AP 312 _(B) could be made to any of APs 312 that are within the desired home broadcast domain and are thus able to serve as an anchor AP.

As further illustrated in FIG. 3, device 314 can continue to roam fromAP 312 _(B) to AP 312 _(C). Once again, AP 312 _(C) can determine thatdevice 314 is roaming and is associated with a particular home broadcastdomain. If AP 312 _(C) determines that device 314 and AP 312 _(C) are onthe same broadcast domain (both devices are connected to the same VLAN1), then AP 312 _(C) does not need to identify another AP to act as theanchor AP because its home broadcast domain matches that of device 314.Thus, device 314 can remain connected to its home broadcast domainthrough AP 312 _(C). Hence, AP 312 _(C) becomes both the host AP and theanchor AP for device 314. On the other hand, in other cases, if AP 312_(C) determines that device 314 and AP 312 _(C) are on differentbroadcast domains, then AP 312 _(C) can identify an anchor AP and createa tunnel with the identified anchor AP to maintain a connection betweendevice 314 and its home broadcast domain. Here, the anchor AP can be AP312 _(A) or any other AP on the home broadcast domain.

FIG. 4 illustrates an example method 400 for wireless roaming. Themethod 400 begins at step 402 and proceeds to step 404 where a deviceassociates with an access point (AP) such as AP 312 _(N). The AP that isin direct communication with the device is the host AP. Uponassociation, the method proceeds to step 406 to determine whether thedevice is roaming to the host AP from another AP.

To determine whether the device is roaming, the host AP can read information from a storage or memory location. In some embodiments, the host AP can read information from a distributed store. The distributed store can be hosted on multiple devices. For example, the distributed store can save data across nodes in the network. In one embodiment, the distributed store is saved on a designated subset of APs in the network. The distributed store can include data entries in the form of key-value pairs, which can identify devices that are presently associated with an AP in the network. For example, the distributed store can include the MAC address of the device (the key) along with a set of APs that are in the device's home broadcast domain (the value). The device data can be initially written to the distributed store by the AP that handles its initial association and serves as both the host AP and the anchor AP.

The data saved in the distributed store can expire if it is not refreshed periodically. Therefore, when a device associates with a host AP, the distributed store may not have any record of that device if it is the device's initial association or if the device has been unassociated for a period of time that exceeds the entry's expiry period. Accordingly, the host AP can determine that the device is not roaming if there is no record of the device in the distributed store. That is, the host AP can issue a read request to the distributed store based on the device's MAC address. If there is no entry available for the device's MAC address, the distributed store can respond to let the AP know that no entry is available for that device. Alternatively, the AP may conclude that no data is available in the distributed store if it does not receive a response from the distributed store within a certain time. Treating a timeout as the absence of a record favors availability over correctness: if the store is slow or unreachable, a device that is in fact roaming will be handled as a new association, its home broadcast domain will become that of the host AP, and its existing sessions will be interrupted. If the distributed store does not have a record of the device, the AP can conclude that the device is not roaming. Alternatively, if the distributed store returns a record indicating that the device was associated with a different virtual access point (i.e. the device is changing SSID), the AP can again conclude that the device is not roaming. If the AP determines that the device is not roaming, the method proceeds to step 408 where the host AP creates an entry for the device in the distributed store.

As mentioned above, the entry in the distributed store can consist ofthe device's MAC address and of a set of APs that are in the device'shome broadcast domain. The APs identified by the entry can then be usedas anchor APs when the device roams to ensure the device remainslogically connected to its home broadcast domain. The host AP canidentify other APs in its same home broadcast domain by performingbroadcast domain discovery. For example, it is possible for an AP on anaccess port to be connected to a VLAN that is numbered differently onanother AP but is actually part of the same broadcast domain. On theother hand, two APs may be connected to VLANs that have the same VLANnumber but are actually different VLANs. Thus, VLANs can be numbereddifferently on different APs. Accordingly, broadcast domain discoveryallows an AP to create equivalence classes among APs. The AP cantherefore identify which APs are connected to the same VLAN even ifdifferent numbering is used.

To perform broadcast domain discovery, the AP can periodically broadcast a broadcast domain announcement packet that contains the AP's VLAN ID (VID) for that particular broadcast domain. Thus, the packet identifies the “sender AP” and the corresponding VID. When an AP receives a broadcast domain announcement packet, it can create equivalence classes based on the (AP, VID) pairs it observes in the particular broadcast domain on which the packet was received. For example, AP1 can receive, on its VID1, a first packet that identifies (AP2, VID2) and a second packet that identifies (AP3, VID3). Thus, AP1 can create an equivalence class from the observed (AP, VID) pairs for itself, AP2 and AP3, as follows: (AP1, 1)=(AP2, 2)=(AP3, 3). Because these equivalence classes decide where a roaming device's traffic is later tunneled, an implementation should accept announcements only from APs it trusts, for example by authenticating them with a key shared among the APs; an unauthenticated announcement would allow any host on the VLAN to add an arbitrary (AP, VID) pair to a class.

Broadcast domain discovery allows each AP to gather the (AP, VID) pairs that currently make up the broadcast domain. Broadcast domain announcement packets can be sent to all VLANs potentially attached to an AP (i.e. up to 4,094 usable VLAN IDs, since IEEE 802.1Q reserves VIDs 0 and 4095) or to some subset thereof. In some embodiments, the number of broadcast domain announcement packets can be limited to minimize network load and bandwidth usage. For example, the AP may be configured to send announcement packets only to its native VLAN. Alternatively, the AP may select VLANs that appear in a particular routing policy to send the announcement packets, or it may send them to any VLAN that it has received announcement packets from.

Having used broadcast domain discovery to gather the (AP, VID) pairs in the device's home broadcast domain, the host AP can create the device entry in the distributed store. The entry can include an identifying set consisting of a number of the smallest (AP, VID) pairs in the broadcast domain. In one example, an AP can be represented by its IP address and (AP1, VID1) can be defined as smaller than (AP2, VID2) if AP1<AP2. The addresses should be compared as numeric values rather than as dotted strings, so that, for example, 10.0.0.10 sorts after 10.0.0.2; otherwise two APs that sort differently would compute different identifying sets for the same domain. In the event the IP addresses of the two APs are the same, the comparison can be made according to the VID. For instance, (AP1, VID1) can be defined as smaller than (AP2, VID2) if AP1=AP2 and VID1<VID2. In some embodiments, the identifying set can include the three smallest pairs in the broadcast domain.

The entry can also include a candidate anchor set that identifies a number of (AP, VID) pairs that are randomly chosen from the same broadcast domain. In one embodiment, the candidate anchor set can include an identifier of the host AP itself. The randomization of the candidate anchor set can provide better load distribution among anchor APs. For example, if two APs create distributed store entries for two devices that are on the same broadcast domain, the candidate anchor set for each of those devices will be selected randomly and will have one or more different pairs included in the set. In addition, the entry in the distributed store can also include the virtual access point (VAP) or the SSID that the device is associated with. The entry in the distributed store can also include a timestamp that indicates when the entry was saved. One skilled in the art will recognize that the distributed store can be used to save any other pertinent information about the device configuration, device settings, access point, network, etc.
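The following Python example, added here and not part of the original disclosure, walks through the entry-creation steps above for one host AP: it derives equivalence classes from observed announcement packets, orders (AP, VID) pairs by numeric IP address and then VID, takes the three smallest pairs as the identifying set, and draws a candidate anchor set that always contains the host itself. The AP addresses, VIDs, MAC address and SSID are assumptions constructed for the example.

```python
import ipaddress
import random
import time
from collections import defaultdict

# Constructed sample: announcement packets as the host AP (AP1 at 10.0.0.1) observes
# them. Each tuple is (local VID the packet arrived on, sender AP address, sender VID).
# All addresses and VIDs here are assumptions for this example, not taken from the page.
LOCAL_AP = "10.0.0.1"
OBSERVED = [
    (1, "10.0.0.2", 2),    # AP2 numbers this broadcast domain VID 2
    (1, "10.0.0.3", 3),    # AP3 numbers it VID 3
    (1, "10.0.0.10", 1),   # the AP at 10.0.0.10 happens to use VID 1 as well
    (1, "10.0.0.2", 2),    # repeated announcement; must not duplicate the class
    (20, "10.0.0.5", 20),  # an unrelated broadcast domain seen on local VID 20
]


def equivalence_classes(local_ap, observed):
    """Return {local_vid: set of (ap, vid)} for every local VID.

    Every (sender, sender_vid) heard on local VID v is, by construction, in the
    same broadcast domain as (local_ap, v), whatever number the sender uses."""
    classes = defaultdict(set)
    for local_vid, sender, sender_vid in observed:
        classes[local_vid].add((local_ap, local_vid))
        classes[local_vid].add((sender, sender_vid))
    return dict(classes)


def pair_key(pair):
    """Ordering from the text: by AP address, then by VID on a tie.

    The address is compared numerically; comparing the dotted string would put
    10.0.0.10 before 10.0.0.2, and APs that sort differently would then disagree
    on the identifying set of the same domain."""
    ap, vid = pair
    return (int(ipaddress.ip_address(ap)), vid)


def identifying_set(domain, n=3):
    """The n smallest (AP, VID) pairs in the broadcast domain."""
    return tuple(sorted(domain, key=pair_key)[:n])


def candidate_anchor_set(domain, local_ap, local_vid, k=3, seed=None):
    """k pairs from the domain: the host AP first, the rest chosen at random so
    that different devices spread their anchors over different APs."""
    rng = random.Random(seed)
    others = sorted((p for p in domain if p != (local_ap, local_vid)), key=pair_key)
    return tuple([(local_ap, local_vid)] + rng.sample(others, min(k - 1, len(others))))


def make_entry(mac, ssid, local_ap, local_vid, classes, seed=None, now=None):
    """Build the distributed-store value for a device that just associated."""
    domain = classes[local_vid]
    return {
        "key": mac.lower(),
        "identifying_set": identifying_set(domain),
        "candidate_anchor_set": candidate_anchor_set(domain, local_ap, local_vid, seed=seed),
        "vap": ssid,
        "timestamp": time.time() if now is None else now,
    }


if __name__ == "__main__":
    classes = equivalence_classes(LOCAL_AP, OBSERVED)
    print(classes)
    print(make_entry("AA:BB:CC:DD:EE:FF", "corp", LOCAL_AP, 1, classes, seed=0))
```

Note that the local VID 20 class stays separate from the local VID 1 class even though both contain a pair numbered 1 on some AP, which is exactly the case the text warns about: equal VLAN numbers on different APs do not imply the same broadcast domain.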

After the host AP creates the entry in the distributed store, the methodproceeds to step 410 where the AP serves as both the host AP and theanchor AP. That is, data from the device is routed in a traditionalmanner, directly through the AP without the need of any tunnel toanother AP. As mentioned above, the data in the distributed store canexpire if it is not refreshed. Thus, in step 424, the host AP canperiodically refresh the distributed store entry while it continues toserve as host AP to the device.

Returning to step 406, if the host AP determines that the device isroaming, the method proceeds to step 412 where the AP determines thedevice's home broadcast domain. The AP can determine the device's homebroadcast domain based on the data it receives from the distributedstore. As discussed above, the distributed store can include one or moresets of (AP, VID) pairs that identify the device's home broadcastdomain. The AP can read the identifying set of pairs from thedistributed store and compare one or more of the sets to the locallystored broadcast domain equivalence classes that the AP has determinedbased on broadcast domain discovery. Alternatively, the AP can read thedevice's candidate set of pairs from the distributed store and compareone or more of the sets to the locally stored broadcast domainequivalence classes that the AP has determined based on broadcast domaindiscovery. In some embodiments, an AP may check more than one pair fromthe identifying set or the candidate anchor set to provide redundancy inthe event an AP has joined or left a broadcast domain. At step 414, ifthe AP determines that it is connected to the device's home broadcastdomain, the method proceeds to step 410 where the AP will once againserve as both host and anchor for the device. For example, if thedistributed store provides (AP2, 2) as one of the identifying pairs, andthe host AP determines that (AP2, 2) is equivalent to its (AP1, 1), thenthe AP can route data directly to the device because it is on the samehome broadcast domain.

Alternatively, if the host AP determines, based on the identifying setor the candidate anchor set obtained from the distributed store, that itis not in the same home broadcast domain as the roaming device, then themethod proceeds to step 416 to identify a second access point to serveas anchor AP for the device. The host AP can randomly select a tentativeanchor AP from the candidate anchor set obtained from the distributedstore. Alternatively, the host AP can select a tentative anchor AP basedon a pre-defined priority, network usage, physical proximity to the hostAP, etc. The host AP can send a message to the tentative anchor APrequesting to set it as the anchor. In some embodiments, the host AP canalso send messages to the other APs in the candidate anchor set to checktheir respective status while it waits for a response from the tentativeanchor AP.

At step 418, the host AP determines if an anchor AP is available. Thehost AP can wait until it receives an acknowledgment from the tentativeanchor AP or until a timeout occurs. If the tentative anchoracknowledges the message from the host AP, then the host AP can set itas the anchor AP. However, if the tentative anchor does not acknowledgethe message, then the host AP can select one of the other candidateanchors to set as the anchor, based on the status request messagespreviously sent. If none of the candidate anchors are available, then noanchor AP is available and the host AP would proceed to anchor thedevice itself in step 410. However, if an anchor AP is available, themethod then proceeds to step 420 where the host AP establishes a tunnelbetween itself and the anchor AP.
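The decision sequence of steps 406 through 420 (read the store, rule out initial associations and SSID changes, test whether the host is already on the device's home broadcast domain, otherwise pick and confirm an anchor) is shown below as an added Python example; it is illustrative code, not the disclosure's own implementation. The store contents, TTL, addresses and acknowledgment behaviour are constructed assumptions, and the distributed store is stood in for by a local dictionary.

```python
import random

# Constructed sample state (assumptions for the example, not from the page).
NOW = 1_000_000.0
TTL = 60.0            # seconds before an unrefreshed entry is treated as expired
LOCAL_AP = "10.0.0.4"
LOCAL_VID = 7
# What broadcast domain discovery told this host AP: the (AP, VID) pairs equivalent
# to each of its own VIDs. Its VID 7 plays the role of VLAN 2 in FIG. 3.
LOCAL_CLASSES = {7: {("10.0.0.4", 7), ("10.0.0.5", 7)}}
# Stand-in for the distributed store, keyed by MAC address.
STORE = {
    "aa:bb:cc:dd:ee:01": {  # roaming in from another domain, entry fresh
        "identifying_set": (("10.0.0.1", 1), ("10.0.0.2", 2), ("10.0.0.3", 3)),
        "candidate_anchor_set": (("10.0.0.2", 2), ("10.0.0.3", 3)),
        "vap": "corp", "timestamp": NOW - 10,
    },
    "aa:bb:cc:dd:ee:02": {  # entry older than the TTL: treated as absent
        "identifying_set": (("10.0.0.1", 1),), "candidate_anchor_set": (("10.0.0.1", 1),),
        "vap": "corp", "timestamp": NOW - 600,
    },
    "aa:bb:cc:dd:ee:03": {  # home domain equals the host's own: no tunnel needed
        "identifying_set": (("10.0.0.4", 7), ("10.0.0.5", 7)),
        "candidate_anchor_set": (("10.0.0.5", 7),),
        "vap": "corp", "timestamp": NOW - 5,
    },
}


def store_read(mac, now=NOW, ttl=TTL):
    """Step 406: a missing or expired record reads as 'no record'."""
    entry = STORE.get(mac.lower())
    if entry is None or now - entry["timestamp"] > ttl:
        return None
    return entry


def on_home_domain(entry, local_vid=LOCAL_VID, classes=LOCAL_CLASSES):
    """Steps 412/414: compare the device's pairs with the local equivalence class.
    More than one pair is checked because an AP may have joined or left the
    domain since the entry was written."""
    local = classes.get(local_vid, set())
    return any(p in local for p in entry["identifying_set"] + entry["candidate_anchor_set"])


def select_anchor(entry, ack, seed=None):
    """Steps 416/418: random tentative anchor, falling back to the other candidates
    if it does not acknowledge. ack(ap) stands in for the request/response exchange."""
    candidates = list(entry["candidate_anchor_set"])
    random.Random(seed).shuffle(candidates)
    for ap, vid in candidates:
        if ack(ap):
            return (ap, vid)
    return None


def ack_all_but(*down):
    """Acknowledgment oracle for the example: every AP answers except those listed."""
    down = set(down)
    return lambda ap: ap not in down


def decide(mac, ssid, ack, seed=None, now=NOW):
    """Return (action, anchor, reason); action is 'anchor_self' or 'tunnel'."""
    entry = store_read(mac, now)
    if entry is None:
        return ("anchor_self", None, "initial_association")   # step 408 -> 410
    if entry["vap"] != ssid:
        return ("anchor_self", None, "ssid_change")           # not a roam
    if on_home_domain(entry):
        return ("anchor_self", None, "home_domain")           # step 414 -> 410
    anchor = select_anchor(entry, ack, seed)
    if anchor is None:
        return ("anchor_self", None, "no_anchor_available")   # step 418 -> 410
    return ("tunnel", anchor, "roamed")                       # step 420


if __name__ == "__main__":
    print(decide("aa:bb:cc:dd:ee:01", "corp", ack_all_but("10.0.0.2"), seed=1))
```

The last branch is the one a practitioner should watch in production: when no candidate anchor answers, the host anchors the device itself, which keeps the device online but silently changes its home broadcast domain and therefore its address.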

Once the tunnel is established between the host AP and the anchor AP, the method proceeds to step 422 where the device's data traffic is routed through the tunnel. The device is connected to its original home broadcast domain and can continue to receive data using its original IP address. In some embodiments, the data traffic sent via the tunnel is encrypted according to a key that is shared among the APs either directly or via the distributed store. Where the tunnel is not encrypted, the device's frames, which the host AP has already decrypted from the wireless link, cross the wired network between host and anchor in the clear, so the tunnel warrants at least the protection the wireless link provided. In other embodiments, the APs can encapsulate packets that are sent via the tunnel such that the Ethernet frame includes a special Layer 3 Roaming (L3R) header inside of a UDP/IP packet. Thus, the packet format can be as follows: IP | UDP | L3R Header | Ethernet. Other ways to tunnel and encapsulate packets are also contemplated herein.

The L3R header can include a field that identifies the VLAN ID of theanchor AP. The L3R header can also include a flag that identifieswhether the device is the source or destination MAC address in theencapsulated packet. For example, an AP may be an anchor AP for onedevice and a host AP for another. Thus, forwarding loops can beprevented by marking a packet as “from anchor” or “to anchor” such thatthe only packets an AP tunnels “to anchor” are those received from thedevice and packets “from anchor” are tunneled from a destination anchorto a host AP. Accordingly, an AP can determine that packets received“from anchor” are to be forwarded to the device.
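The encapsulation and the loop-prevention rule above are shown as an added Python example (not code from the disclosure). The page names the header fields but not their encoding, so the four-byte layout (two-byte anchor VID, one-byte direction flag, one reserved byte), the flag values and the sample Ethernet frame are assumptions; the outer IP/UDP headers are left to the socket layer and tunnel encryption is omitted.

```python
import struct

# Assumed L3R header encoding for this example: anchor VID (2 bytes), flags (1 byte),
# reserved (1 byte). The page specifies the fields, not the wire format.
L3R_FMT = "!HBB"
L3R_LEN = struct.calcsize(L3R_FMT)
FLAG_TO_ANCHOR = 0x01    # device is the source MAC of the inner frame
FLAG_FROM_ANCHOR = 0x02  # device is the destination MAC of the inner frame
ETH_HDR_LEN = 14


def ethernet_frame(dst, src, ethertype, payload):
    """Build a minimal Ethernet II frame from textual MAC addresses."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + ethertype.to_bytes(2, "big") + payload)


# Constructed sample: an ARP broadcast from the roaming device (addresses are assumptions).
SAMPLE_FRAME = ethernet_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:01", 0x0806,
                              b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)


def l3r_encap(anchor_vid, direction, frame):
    """Prepend the L3R header; the result is the UDP payload sent through the tunnel."""
    if direction not in (FLAG_TO_ANCHOR, FLAG_FROM_ANCHOR):
        raise ValueError("direction must be FLAG_TO_ANCHOR or FLAG_FROM_ANCHOR")
    if not 0 < anchor_vid < 4095:
        raise ValueError("VID outside the 802.1Q range 1..4094")
    return struct.pack(L3R_FMT, anchor_vid, direction, 0) + frame


def l3r_decap(payload):
    """Split a tunnel payload into (anchor_vid, flags, inner Ethernet frame)."""
    if len(payload) < L3R_LEN + ETH_HDR_LEN:
        raise ValueError("truncated L3R packet")
    vid, flags, _reserved = struct.unpack(L3R_FMT, payload[:L3R_LEN])
    return vid, flags, payload[L3R_LEN:]


def on_tunnel_receive(local_role, payload):
    """Forwarding decision on tunnel ingress. An AP that is a host for one device and
    an anchor for another must not re-tunnel what it receives: a host AP only delivers
    'from anchor' frames to its client, an anchor AP only bridges 'to anchor' frames
    onto the home VLAN. Everything else is dropped, which is what breaks loops."""
    vid, flags, frame = l3r_decap(payload)
    if local_role == "host" and flags == FLAG_FROM_ANCHOR:
        return ("deliver_to_device", vid, frame)
    if local_role == "anchor" and flags == FLAG_TO_ANCHOR:
        return ("bridge_to_vlan", vid, frame)
    return ("drop", None, None)


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to check the input validation."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = l3r_encap(1, FLAG_TO_ANCHOR, SAMPLE_FRAME)
    print(pkt[:L3R_LEN].hex(), on_tunnel_receive("anchor", pkt)[0])
```

On an anchor AP, a sound implementation would additionally bridge a 'to anchor' frame only onto the VLAN named in the header, and only if that VID really belongs to the home broadcast domain the tunnel was set up for; the header field should not be trusted to select an arbitrary VLAN.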

In addition to routing traffic for the device, the host AP can alsoperform the required distributed store refresh operations, as describedabove. Furthermore, the host AP can send periodic anchor refreshmessages to the anchor AP. In response, the anchor AP can provide thehost AP with any required updates to the candidate set which the host APis responsible for writing to the distributed store. For example, theanchor AP continues to perform broadcast domain discovery and candetermine that a change has occurred to the broadcast domain.Accordingly, the identifying set and the candidate anchor set for thedevice will need to be updated in the distributed store. The anchor APcan communicate the information to the host AP and the host AP canperiodically update the device entry in the distributed store at step424 so that the entry does not expire. Periodic updates of thedistributed store stop when the device disassociates from the host AP.

In some embodiments, the host AP can continue to monitor the candidateanchor APs after the tunnel is established with the current anchor AP.For example, the host AP can perform a periodic “ping” of the other APsin the candidate anchor set. Accordingly, the host AP can performefficient failover operations if the present anchor AP fails to respondto a periodic anchor refresh message by quickly selecting a replacementanchor AP.

FIG. 5 illustrates an example system 500 used to implement wireless roaming. The system 500 can maintain L3 connectivity when a device roams across different logical network segments (e.g., VLANs and broadcast domains). The system in FIG. 5 is similar to FIG. 3 and includes device 514 _(A) and device 514 _(B). As illustrated, both devices are associated with AP 512 _(B) which is the host AP for each. In addition, AP 512 _(B) has a first tunnel 516 _(A) to communicate with AP 512 _(A) and a second tunnel 516 _(B) to communicate with AP 512 _(C).

AP 512 _(A) is the anchor AP for device 514 _(A) and AP 512 _(C) is theanchor AP for device 514 _(B). In one example, both device 514 _(A) and514 _(B) can be in the same home broadcast domain because they eachinitially associated with an AP 512 _(N) that was part of a particularbroadcast domain. The devices can subsequently and independently roam toAP 512 _(B) which can proceed to set up different anchor APs for each ofthe devices 514, even though they are on the same home broadcast domain.This condition can occur because the host AP randomly selects an AP fromthe candidate anchor list when it sets up the anchor for a device. Thus,even if the candidate anchor sets are the same, a different anchor canbe selected. Furthermore, as discussed above, the candidate anchor setscan be randomly selected (AP, VID) pairs from the same broadcast domain.In that situation, it is unlikely that the devices 514 would have thesame candidate anchor set although they are part of the same broadcastdomain.

In this situation, because the host AP 512 _(B) is hosting more than one device on the same broadcast domain, it may receive multiple copies of each broadcast message for the particular broadcast domain. To avoid receiving duplicate messages, host AP 512 _(B) can designate one of the anchor APs as the broadcast anchor AP for that particular broadcast domain. For example, AP 512 _(B) can designate AP 512 _(A) as the broadcast anchor AP for the broadcast domain that corresponds to both devices. Thus, AP 512 _(C) will not forward broadcast domain messages and AP 512 _(B) can avoid receiving duplicate messages.

In another embodiment, AP 512 _(B) can determine that it is hostingmultiple devices that are on the same home broadcast domain but areusing separate anchor APs. In response, AP 512 _(B) can reconfigure theanchor APs for one or more of the devices to avoid having separateanchor APs for the same broadcast domain. For example, the anchor fordevice 514 _(B) can be changed to AP 512 _(A) so that it matches theanchor for device 514 _(A).

In the above examples, AP 512 _(B) can determine that two or more devices are on the same broadcast domain by using the corresponding identifying sets from the distributed store. For example, device 514 _(A) can have an entry in the distributed store that includes the identifying set for its home broadcast domain. Similarly, device 514 _(B) can also have an entry in the distributed store that includes the identifying set for its home broadcast domain. As described above with respect to FIG. 4, the identifying set can be selected according to the smallest (AP, VID) pairs in the broadcast domain. Hence, device 514 _(A) and device 514 _(B) can have one or more (AP, VID) pairs in common in their identifying sets because they are part of the same broadcast domain. Thus, in one embodiment, host AP 512 _(B) can determine that device 514 _(A) and device 514 _(B) are on the same home broadcast domain by testing for an intersection among their corresponding identifying sets. Upon determining that two or more devices are part of the same home broadcast domain and are anchored to different APs, a host AP can assign a broadcast anchor AP for the particular home broadcast domain. Alternatively, a host AP can reconfigure the anchor APs for the one or more devices to avoid having multiple anchor APs for the same home broadcast domain.

FIG. 6 illustrates an example method 600 for configuring the distributedstore to perform wireless roaming. In one embodiment, method 600 can beperformed by a cloud controller 200. Alternatively, method 600 may beperformed by a server or other network device that resides within thenetwork or is communicatively coupled thereto. Although the distributedstore is described with respect to a wireless roaming application, thosethat are skilled in the art will recognize that the distributed storecan be utilized for any number of applications. For example, thedistributed store can be used to save information related to the RADIUSprotocol and properties associated with network devices. Alternatively,the distributed store can be used to maintain network statistics andoptimize network resources. Accordingly, alternative uses for thedistributed store are contemplated herein.

The method begins at step 602 and continues to step 604 where the size of the network can be determined. The size of the network can be determined using a cloud controller such as the cloud controller 200 described in FIG. 2. For example, the size of the network can be determined according to the number of APs in the network. The cloud controller can provide a graphical user interface (GUI) or a dashboard that depicts the network configuration as well as the number of APs and their properties and positions within the network. After the size of the network is determined, the method continues to step 606 to determine the size of the distributed store.

As discussed above, the distributed store saves information about thedevices that are presently associated with each of the APs in thenetwork. Accordingly, the size of the distributed store can be relatedto the number of devices that the network can support. Each device has adata entry in the distributed store that is a key, value pair whichincludes the device MAC address and a set of identifying (AP, VID) pairsand a candidate anchor set of (AP, VID) pairs. The distributed store canalso provide redundancy in the form of data replication such that it canwithstand one or more failures of a particular node used to save aportion of the distributed store.

The distributed store can be represented in the form of a matrix such asthe distributed store 700 depicted in FIG. 7. Each cell in thedistributed store 700 corresponds to a particular node in the networkthat will be responsible for storing that piece of data. In someembodiments, the distributed store is saved across a subset of theaccess points in the network. The “key” data space along the horizontalaxis can be partitioned across N number of data partitions 704. Each ofthe data partitions 704 can have M number of data replicas 706 along thevertical axis. As one that is skilled in the art will recognize, alarger number of data partitions 704 will allow for more efficient loaddistribution and a larger number of data replicas 706 will increase theredundancy in the system.

To minimize the average load per replica for a given M and N, thedistributed store can be designed such that a particular AP only appearsas a replica in one partition. However, in smaller networks, it may benecessary to allow a particular AP to serve as a replica in more thanone partition. For smaller network sizes, the distributed store can beoptimized to diversify the APs within a partition (replicas) forimproved redundancy.

The key data space can be partitioned using a mod function on the Nnumber of partitions. For example, the key can be hashed mod N in orderto map it to a particular data partition. Once the appropriate partitionis identified, the data is stored on all of the data replicas 706 inthat partition. For instance, partition 704 ₁ includes data replicas forthat partition that are stored on AP1, AP2 and AP3. Likewise, partition704 ₂ is mapped to the second key data space and includes data replicasthat are stored on AP4, AP5 and AP6.

Once the overall structure of the distributed store is determined, themethod can proceed to step 608 where it generates a target set and aconfiguration set of nodes (APs) that can be used for the distributedstore. The target set can correspond to the ideal set of APs, asdetermined by the cloud controller. The configuration set corresponds tothe set of APs that is actually configured to perform the distributedstore function. In some embodiments, the ideal set and the configurationset will be equivalent when the distributed store is initialized.Alternatively, the ideal set may be determined after the configurationset is active and the controller is able to collect statistics ormetrics regarding the operation of the distributed store.

After each of the nodes is configured for use in the distributed store, the method continues to step 612 where the cloud controller propagates the information about the distributed store to all of the APs in the network. The information can include, for example, the IP addresses of each of the APs that are storing the data for a particular partition. Accordingly, when a device connects to an AP, the AP can map the device's key to the corresponding data partition and store the device's data on all replicas in that partition.

Once the information about the distributed store is shared with all ofthe APs in the network, the APs can utilize the distributed store toperform wireless roaming. In some embodiments, the controller cancontinue to monitor the network to determine if the distributed storeshould be reconfigured or altered. For example, at step 616 thecontroller monitors the network for trigger conditions that can prompt achange to the distributed store. If no trigger condition is detected,the controller continues to monitor the network at 614.

A trigger condition can include a change in the network such as network growth or network reduction. For example, the initial distributed store may have been configured based on a network that had 20 APs and the network has since grown to 25 APs. The newly added APs may be located in a different geographic area, on a different/new broadcast domain, or in a new network segment. In particular, an increase in the number of network segments can leave the distributed store replicas susceptible to being isolated by a switch failure, because the replicas are stored on APs that are all part of the original network segments. Thus, a change in network size can trigger a revisit of the configuration of the distributed store to diversify the location (physical or virtual) of the APs participating in the distributed store. In some embodiments, the change in size required to cause a trigger can be set to greater than a pre-defined threshold, such as 25%. Alternatively, the threshold can be user-configured.

Another example of a trigger condition is that a particular node in thedistributed store is offline/down or has changed its IP address. Each ofthese conditions signifies a loss of redundancy in the distributed storeand therefore requires attention. For example, if the IP address of anode has changed, the other APs will not be able to access the node tostore new data or retrieve existing data.

Yet another example of a trigger condition is that the target set is smaller than the M data replicas and more nodes are now available. This will cause a trigger to reconfigure the distributed store because the original configuration does not have enough replicas to ensure proper failover functionality. The controller recognizes that the newly available nodes can remedy the situation and should be taken advantage of in order to increase the number of data replicas 706.

Once a trigger condition is detected at step 616, the method continues to step 618 where it can regenerate the target set of nodes. As described above, the particular trigger condition can affect how the target set is determined. For example, significant network growth over a larger geographic area or growth in the number of network segments can trigger the generation of a new target set of nodes that adequately represents the landscape of the larger network. Alternatively, the new target set of nodes can be regenerated in a manner that is independent from the old target set.

After the new target set of nodes is generated, the method continues to step 620 where it can perform an initial update to the configuration set. For example, failed nodes and nodes that have changed IP address can be removed from the configuration set and replaced with unique nodes from the corresponding partitions in the new target set. In addition, the controller can perform updates to the configuration set such that it matches the new target set. In one embodiment, all of the nodes can be changed in a single step such that the configuration set is equivalent to the new target set. Alternatively, updates to the configuration set can be done in one or more convergence steps toward the target set of nodes per each partition. A stepwise convergence process of the configuration set toward the new target set can be used to ensure that each partition retains one or more replicas such that the data stored in the partition remains available. For instance, a subsequent convergence step can be delayed for a time that is longer than the time a host AP takes to refresh its corresponding device entries in the distributed store, thus ensuring that the AP that is introduced to the partition in the first convergence step receives updates from host APs before a second AP within the partition is removed.

For example, if the first partition in the configuration set currently utilizes AP1, AP2, and AP3 and the target set for the first partition includes AP1, AP4, and AP5, then the first convergence step could be to replace AP2 with AP4, yielding a partition of AP1, AP4, and AP3 in the configuration set. After AP4 is configured in the distributed store, a time delay can be used to allow host APs to refresh the distributed store such that AP4 is updated with the relevant partition data. After the time delay, the next convergence step can be to replace AP3 with AP5, yielding a partition in the configuration set of AP1, AP4 and AP5, which matches the desired partition in the new target set.

After updating the configuration set at 620, the method continues to step 622 where the controller can propagate the new distributed store information, i.e. the new configuration set, to all of the nodes in the network. The controller can implement the changes in the distributed store by configuring APs that are participating in the distributed store. The controller can also inform all of the APs in the network of the changes in the distributed store and of the IP addresses for the newly added APs that are part of the distributed store. A host AP that receives the new information can continue to periodically update the distributed store by writing record data to the correct nodes.

After that, the configuration (actual) set is compared to the target set at step 624. If the two sets are equivalent, then the target set has been realized and the method continues to monitor the network at step 614. Alternatively, if the two sets are not equivalent, the method continues to step 626 where it can again update the configuration set in accordance with the desired target set. As discussed above, the update to the configuration set can be made iteratively in a series of convergence steps that modify a single node in a partition at one time. After changes are made to the configuration set, the method returns to step 622 where it propagates the distributed store changes and configurations throughout the network. The aforementioned series of steps can be repeated until the desired target set is fully implemented.
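The convergence loop of steps 620 through 626, applied to the AP1/AP2/AP3 to AP1/AP4/AP5 example above, is shown below as an added illustration; it is not code from the patent. `Partition`, `next_step`, `apply_step`, `host_refresh`, `converge`, the simulated clock and the 30 s refresh period and 45 s step delay are all assumptions. The simulation also covers the failure mode the text warns about: if the delay between steps is shorter than the host APs' refresh interval, a partition whose old and new node sets share no member can briefly hold no copy of its data.

```python
"""Stepwise convergence of a configuration set toward a target set.

Added illustration, not the patent's code. Timings and the data model
are assumptions; "records" are constructed device entries.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Partition:
    """One partition of the distributed store.

    nodes: the configuration (actual) set of APs holding this partition.
    data:  which records each configured AP currently holds (simulated).
    """
    nodes: list[str]
    data: dict[str, set[str]] = field(default_factory=dict)


def next_step(config: list[str], target: list[str]) -> tuple[str | None, str | None] | None:
    """Pick one single-node change that moves config toward target.

    Returns (node_to_remove, node_to_add); either is None when only a
    removal or only an addition is needed. Returns None when the sets match
    (step 624: configuration set equals target set).
    """
    stale = [n for n in config if n not in target]
    missing = [n for n in target if n not in config]
    if not stale and not missing:
        return None
    return (stale[0] if stale else None, missing[0] if missing else None)


def apply_step(part: Partition, step: tuple[str | None, str | None]) -> None:
    """Steps 620/626: modify a single node in the partition."""
    old, new = step
    if old is not None and new is not None:
        part.nodes[part.nodes.index(old)] = new  # keep slot order: AP1, AP4, AP3
    elif new is not None:
        part.nodes.append(new)
    else:
        part.nodes.remove(old)
    if old is not None:
        part.data.pop(old, None)          # removed AP no longer serves the partition
    if new is not None:
        part.data.setdefault(new, set())  # new AP is empty until host APs refresh


def host_refresh(part: Partition, records: set[str],
                 elapsed_s: int, refresh_period_s: int) -> None:
    """After step 622: host APs rewrite their entries every refresh_period_s.

    Simulated clock: at least one refresh happens only if the delay since
    the change is at least one refresh period.
    """
    if elapsed_s // refresh_period_s >= 1:
        for node in part.nodes:
            part.data[node] = set(records)


def fully_replicated(part: Partition, records: set[str]) -> bool:
    """Does every configured AP hold the complete partition data?"""
    return all(part.data.get(n) == records for n in part.nodes)


def converge(part: Partition, target: list[str], records: set[str],
             step_delay_s: int, refresh_period_s: int) -> tuple[list[list[str]], bool]:
    """Steps 620-626: change one node, propagate, wait, compare, repeat.

    Returns the sequence of configuration sets and whether at least one
    complete copy of the data existed immediately after every step.
    """
    history: list[list[str]] = []
    always_available = True
    while (step := next_step(part.nodes, target)) is not None:
        apply_step(part, step)
        always_available = always_available and any(
            part.data.get(n) == records for n in part.nodes)
        host_refresh(part, records, step_delay_s, refresh_period_s)  # delay, then refresh
        history.append(list(part.nodes))
    return history, always_available


def demo() -> tuple[list[list[str]], bool]:
    """The text's example: AP1,AP2,AP3 -> AP1,AP4,AP5 with a safe delay."""
    records = {"dev-aa:bb:cc:00:00:01", "dev-aa:bb:cc:00:00:02"}  # constructed
    part = Partition(["AP1", "AP2", "AP3"],
                     {n: set(records) for n in ("AP1", "AP2", "AP3")})
    return converge(part, ["AP1", "AP4", "AP5"], records,
                    step_delay_s=45, refresh_period_s=30)


if __name__ == "__main__":
    print(demo())
```

The step delay is the only safety mechanism here: `next_step` never checks whether the remaining nodes hold data, exactly as the text describes, so the controller must choose `step_delay_s` longer than the host APs' refresh time for the guarantee to hold.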

While the various examples above are described in terms of specific devices, such as appliances or branches, one of ordinary skill in the art will readily recognize that the concepts described herein can apply to other devices, networks, or environments. For example, the wireless roaming concepts can apply to different network or VPN topologies, different types of devices, different protocols, different types of networks, different number of steps or items, different storage solutions, different triggering events, etc.

Example Devices

FIG. 8 illustrates an example network device 810 suitable for high availability and failover. Network device 810 includes a master central processing unit (CPU) 862, interfaces 868, and a bus 815 (e.g., a PCI bus). When acting under the control of appropriate software or firmware, the CPU 862 is responsible for executing packet management, error detection, and/or routing or forwarding functions. The CPU 862 can accomplish all these functions under the control of software including an operating system and any appropriate applications software. CPU 862 may include one or more processors 863 such as a processor from the Motorola family of microprocessors or the MIPS family of microprocessors. In an alternative embodiment, processor 863 is specially designed hardware for controlling the operations of network device 810. In a specific embodiment, a memory 861 (such as non-volatile RAM and/or ROM) also forms part of CPU 862. However, there are many different ways in which memory could be coupled to the system.

The interfaces 868 are typically provided as interface cards (sometimes referred to as “line cards”). Generally, they control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 810. Among the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like. In addition, various very high-speed interfaces may be provided such as fast token ring interfaces, wireless interfaces, Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces and the like. Generally, these interfaces may include ports appropriate for communication with the appropriate media. In some cases, they may also include an independent processor and, in some instances, volatile RAM. The independent processors may control such communications intensive tasks as packet switching, media control and management. By providing separate processors for the communications intensive tasks, these interfaces allow the master microprocessor 862 to efficiently perform routing computations, network diagnostics, security functions, etc.

Although the system shown in FIG. 8 is one specific network device of the present invention, it is by no means the only network device architecture on which the present invention can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc. is often used. Further, other types of interfaces and media could also be used with the router.

Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 861) configured to store program instructions for the general-purpose network operations and mechanisms for roaming, route optimization and routing functions described herein. The program instructions may control the operation of an operating system and/or one or more applications, for example. The memory or memories may also be configured to store tables such as mobility binding, registration, and association tables, etc.

FIG. 9A and FIG. 9B illustrate example system embodiments. The more appropriate embodiment will be apparent to those of ordinary skill in the art when practicing the present technology. Persons of ordinary skill in the art will also readily appreciate that other system embodiments are possible.

FIG. 9A illustrates a conventional system bus computing system architecture 900 wherein the components of the system are in electrical communication with each other using a bus 905. Exemplary system 900 includes a processing unit (CPU or processor) 910 and a system bus 905 that couples various system components including the system memory 915, such as read only memory (ROM) 970 and random access memory (RAM) 975, to the processor 910. The system 900 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 910. The system 900 can copy data from the memory 915 and/or the storage device 930 to the cache 917 for quick access by the processor 910. In this way, the cache can provide a performance boost that avoids processor 910 delays while waiting for data. These and other modules can control or be configured to control the processor 910 to perform various actions. Other system memory 915 may be available for use as well. The memory 915 can include multiple different types of memory with different performance characteristics. The processor 910 can include any general purpose processor and a hardware module or software module, such as module 1 937, module 7 934, and module 3 936 stored in storage device 930, configured to control the processor 910 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 910 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.

To enable user interaction with the computing device 900, an input device 945 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 935 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 900. The communications interface 940 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.

Storage device 930 is a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 975, read only memory (ROM) 970, and hybrids thereof.

The storage device 930 can include software modules 937, 934, 936 for controlling the processor 910. Other hardware or software modules are contemplated. The storage device 930 can be connected to the system bus 905. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 910, bus 905, display 935, and so forth, to carry out the function.

FIG. 9B illustrates an example computer system 950 having a chipset architecture that can be used in executing the described method and generating and displaying a graphical user interface (GUI). Computer system 950 is an example of computer hardware, software, and firmware that can be used to implement the disclosed technology. System 950 can include a processor 955, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. Processor 955 can communicate with a chipset 960 that can control input to and output from processor 955. In this example, chipset 960 outputs information to output 965, such as a display, and can read and write information to storage device 970, which can include magnetic media, and solid state media, for example. Chipset 960 can also read data from and write data to RAM 975. A bridge 980 for interfacing with a variety of user interface components 985 can be provided for interfacing with chipset 960. Such user interface components 985 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. In general, inputs to system 950 can come from any of a variety of sources, machine generated and/or human generated.

Chipset 960 can also interface with one or more communication interfaces 990 that can have different physical interfaces. Such communication interfaces can include interfaces for wired and wireless local area networks, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself by processor 955 analyzing data stored in storage 970 or 975. Further, the machine can receive inputs from a user via user interface components 985 and execute appropriate functions, such as browsing functions by interpreting these inputs using processor 955.

It can be appreciated that example systems 900 and 950 can have more than one processor 910 or be part of a group or cluster of computing devices networked together to provide greater processing capability.

For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.

In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.

The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.

Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims. Moreover, claim language reciting “at least one of” a set indicates that one member of the set or multiple members of the set satisfy the claim.

We claim:
1. A method comprising: identifying a home broadcast domain of a wireless device in response to a communication request from the wireless device received via a first access point of a plurality of access points; determining whether the wireless device is roaming based on a determination that a broadcast domain associated with the first access point is different than the home broadcast domain associated with the wireless device from a distributed store; identifying a second access point of the plurality of access points associated with the home broadcast domain of the wireless device; and establishing, based on the determination that the wireless device is roaming, a tunnel between the first access point and the second access point.
2. The method of claim 1, further comprising: routing, via the first access point, traffic associated with the wireless device through the tunnel and to the second access point.
3. The method of claim 1, wherein the distributed store comprises a distributed hash table based on at least a portion of the plurality of access points, and wherein broadcast domain information is stored at a subset of the plurality of access points.
4. The method of claim 1, further comprising: flooding an update to the plurality of access points indicating an association between (a) the wireless device and (b) the home broadcast domain of the wireless device and/or the broadcast domain associated with the first access point.
5. The method of claim 1, wherein the broadcast domain associated with the first access point comprises a native Virtual Local Area Network (VLAN) associated with the first access point.
6. The method of claim 5, further comprising: sending, via the first access point, at least one broadcast message to other access points on the broadcast domain, the at least one broadcast message having an identification of the broadcast domain.
7. The method of claim 1, further comprising: identifying a failure associated with the tunnel; sending a request to a third access point on the home broadcast domain of the wireless device; receiving a reply from the third access point on the home broadcast domain of the wireless device; and establishing a second tunnel between the third access point and the first access point.
8. A system on a wireless network, the system comprising: a processor; and a non-transitory computer-readable storage medium having stored therein instructions which, when executed by the processor, cause the processor to perform operations comprising: identifying a home broadcast domain of a wireless device in response to a communication request from the wireless device received via a first access point of a plurality of access points; determining whether the wireless device is roaming based on a determination that a broadcast domain associated with the first access point is different than the home broadcast domain associated with the wireless device from a distributed store; identifying a second access point of the plurality of access points associated with the home broadcast domain of the wireless device; and establishing, based on the determination that the wireless device is roaming, a tunnel between the first access point and the second access point.
9. The system of claim 8, wherein the operations include routing traffic associated with the wireless device through the tunnel and to the second access point.
10. The system of claim 8, wherein the tunnel comprises one of a layer 2 protocol tunnel or a virtual private network tunnel.
11. The system of claim 8, wherein a network identification (ID) and/or a network tag associated with the wireless device are retrieved from the distributed store.
12. The system of claim 8, wherein the distributed store comprises a distributed hash table stored at the plurality of access points on the wireless network.
13. The system of claim 8, wherein the operations include: identifying a failure associated with the tunnel; sending a request to a third access point on the home broadcast domain of the wireless device; receiving a reply from the third access point on the home broadcast domain of the wireless device; and establishing a second tunnel between the third access point and the first access point.
14. The system of claim 13, wherein the operations include routing, via the first access point, traffic associated with the wireless device through the second tunnel and to the third access point.
15. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations comprising: identifying a home broadcast domain of a wireless device in response to a communication request from the wireless device received via a first access point of a plurality of access points; determining whether the wireless device is roaming based on a determination that a broadcast domain associated with the first access point is different than the home broadcast domain associated with the wireless device from a distributed store; identifying a second access point of the plurality of access points associated with the home broadcast domain of the wireless device; and establishing, based on the determination that the wireless device is roaming, a tunnel between the first access point and the second access point.
16. The non-transitory computer-readable storage medium of claim 15, wherein the operations include routing traffic associated with the wireless device through the tunnel and to the second access point.
17. The non-transitory computer-readable storage medium of claim 15, wherein the tunnel comprises one of a layer 2 protocol tunnel or a virtual private network tunnel.
18. The non-transitory computer-readable storage medium of claim 17, wherein a network identification (ID) and/or a network tag associated with the wireless device are retrieved from the distributed store.
19. The non-transitory computer-readable storage medium of claim 15, wherein the distributed store comprises a distributed hash table stored at the plurality of access points on a wireless network of the first access point.
20. The non-transitory computer-readable storage medium of claim 15, wherein the operations include: identifying a failure associated with the tunnel; sending a request to a third access point on the home broadcast domain of the wireless device; receiving a reply from the third access point on the home broadcast domain of the wireless device; and establishing a second tunnel between the third access point and the first access point.